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Abstract 

Lattice reduction algorithms have numerous applications in number theory, algebra, as well 
as in crypt analysis. The most famous algorithm for lattice reduction is the LLL algorithm. 
In polynomial time it computes a reduced basis with provable output quality. One early 
improvement of the LLL algorithm was LLL with deep insertions (DeepLLL). The output of 
this version of LLL has higher quality in practice but the running time seems to explode. 
Weaker variants of DeepLLL, where the insertions are restricted to blocks, behave nicely in 
practice concerning the running time. However no proof of polynomial running time is known. 
In this paper a new variant of DeepLLL with provably polynomial running time is presented. 
We compare the practical behavior of the new algorithm to classical LLL, BKZ as well as 
blockwise variants of DeepLLL regarding both the output quality and running time. 

Keywords: Lattice Reduction, LLL Algorithm, Deep Insertion 
Mathematics Subject Classification (2000): 68R05 and 94A60 

1 Introduction 

The -well-kno-wn LLL lattice reduction algorithm was presented in 1982 by Lenstra, Lenstra, Lovasz 
|LLL82| . Apart from various other applications (e.g. |NV101 Chapter 9,10]) it has already at an 
early stage been used to attack various public key cryptosystems. Nevertheless lattice problems 
remain popular -when it comes to the construction of provably secure cryptosystems (e.g. |NV10[ 
Chapter 13]). Consequently improvements in lattice reduction still have a direct impact on the 
security of many cryptosystems and rise high interest in the crypto-community. 

Many lattice reduction algorithms used in practice are generalizations of the LLL algorithm. The 
Block-Korkine-Zolotarev (BKZ) reduction algorithm by Schnorr and Euchner [SE94j is probably 
the most used algorithm -when stronger reduction than the one achieved by LLL is required. It 
can be seen as a generalization of LLL to higher blocksizes, and -while the running time seems to 
behave well for small blocksizes |GN08j . no useful upper bound has been proven so far. Another 
improvement of the LLL algorithm has also been suggested in SE94 . While in LLL adjacent basis 
vectors are swapped if certain conditions are satisfied, in the so called LLL -with deep insertions 
(DeepLLL in the sequel), basis vectors can be swapped even when not adjacent. The practical 
behavior of DeepLLL when it comes to the reducedness of the output basis is superior the one 
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of LLL. Unfortunately also the running time explodes and does not seem to be polynomial in the 
dimension of the lattice. One attempt get across this problem, is to restrict the insertions to certain 
blocks of basis vectors. While the authors in |SE94| claim that these blockwise restriction variants 
of DeepLLL run in polynomial time, we are not aware of any proof thereof. For an overview on the 
practical behavior of the different variants and improvements on LLL, we refer to |NS06[ IGN08| . 
There the practical behavior of the reduction algorithms is investigated using the widely used NTL 
library. 

In this paper we present a new version of DeepLLL, called PotLLL. To our knowledge it is the 
first improvement of LLL with regard to deep insertions which provably runs in polynomial time. 
The practical behavior of PotLLL regarding both the output quality and running time is empirically 
tested and compared to BKZ and DeepLLL with different blocksizes. The tests are performed with 
a completely new implementation of the different reduction algorithms. This additionally allows an 
independent review of the results in INS06[ [GN08] . The tests indicate that our algorithm can serve 
as a serious alternative to BKZ with low blocksizes. 

The paper is organized as follows. In Section [2] all necessary notations and definitions are given. 
In Section |3] the reduction notion and the new algorithm is presented and a theoretical analysis is 
provided. Section |4] contains the empirical results and conclusions are drawn in Section [Sj 



2 Preliminaries 

A lattice L C of rank n and dimension to is a discrete subgroup of generated by integer 
linear combinations of n linearly independent vectors &i, . . . , 6„ in M™: 



C = £(6i, . . . , 6„) := -j ^ Xib, 



Vi : a;,- e Z 



We will often write the basis 61 , . . . , 6„ as rows of a matrix B in the following way i? = [61 , . . . , 6„] . 
In order to have exact representations in computers, only lattices in Q" are considered. Simple 
scaling by the least common multiple of the denominators allows us to restrict ourselves to integer 
lattices C C Z™. The volume of a lattice C{B) equals the volume of its fundamental parallelepiped 
vol (£) = v/det(BB*). For 71 > 2, a lattice has infinitely many bases as C{B) = C{B') if and only 
if 3C7 G GL„(Z) : B = UB'. Therefore, the volume of a lattice is well defined. By tt^ : K™ 
span {61, ... , fcfc-i}^ we denote the orthogonal projection from K™ onto the orthogonal complement 
of span {&i, . . . , 6fc_i}. In particular, tti = idRm and h* :— ^.^{bi) equals the i-th basis vector of the 
Gram-Schmidt orthogonalization B* = of B. By /i^j := {bi,b*) / {b* ,b*), j < i, we 

denote the Gram-Schmidt coefficients. The Gram-Schmidt vectors can iteratively be computed by 
Mh) = b* = h- Y.'p^ 

Throughout this paper, by ||-|| we denote the Euclidean norm and by Ai(£) we denote the 
length of a shortest non-zero vector in C with respect to the Euclidean norm: Ai(£) := min„g£||u||. 
Determining Ai(£) is commonly known as the shortest vector problem (SVP) and is proven to 
be NP-hard (under randomized reductions) (see e.g. |MG02j ). Upper bounds with respect to the 
determinant exist, for all rank n lattices C we have |NV10j 

vol(/:)2/» -T"-^+4' 



2 



where 7„ is the Hermite constant in dimension n. Given a relatively short vector v £ C, one 
measures its quality by the Hermite factor ||w||/vol (£)^/" it achieves. Modern lattice reduction 
algorithms achieve a Hermite factor which is exponential in n and no polynomial time algorithm is 
known to achieve linear or polynomial Hermite factors. 

Let Sn denote the group of permutations of n elements. By applying tr e 5„ to a basis B = 
[61, . . . , bn], the basis vectors are reordered aB — [6cr(i)i ■ • ■ 1 ^(T(n)]- For l<fc<^<nwe define a 
class of elements ak/ G Sn as follows: 

{i for i < k OT i > £ , 

I iOT i^k, (2.1) 

i - 1 for k <i < i. 

Note that (7^. £ = crfe.fe+i(Tfe+i,fc+2 ' ' • o'f-i,^ and that cTfe^fe+i is swapping the two elements k and fc + 1. 

Definition 2.1. Let 5 S (1/4, 1]. A basis B — [bi, . . . , bn] of a lattice C{bi, . . . , 6„) is called (5-LLL 
reduced if and only if it satisfies the following two conditions: 

1- < j < i < n : l/iij i < 5 (size-reduced). 

2. 1 < k < n : S ■ ||7rfc(6fe)||^ < ||7rfe(6fc_|_i)||^ (Lovdsz- condition) . 

A (5-LLL reduced basis B = [61 , . . . , 6„] can be computed in polynomial time |LLL82) and 
provably satisfies the following bounds: 

< (5-1/4)"^""'^^' •Ai(/:(S)) and ||5i|| < (,5 - 1/4)"^""'^^^ vol (£(5))!/". (2.2) 

While these bounds can be reached, they are worst case bounds. In practice, LLL reduction 
algorithms behave much better |NS06| . One early attempt to improve the LLL reduction algorithm 
is due to Schnorr and Euchner jSE94| who came up with the notion of a DeepLLL reduced basis: 

Definition 2.2. Let 5 S (1/4,1]. A basis B = [bi, . . . ,bn] of a lattice £(61,..., 6„) is called S- 
DccpLLL reduced with blocksize /3 if and only if it satisfies the following two conditions: 

1- yi < j < i < n : l/iij i < 5 (size-reduced). 

2. yi<k<e<n with k<pwk-i<P: S - ||7rfc(fefe)|P < \\TTkibe)\\^. 

li f3 = n we simply call this a DeepLLL reduced basis. While the first basis vector of DeepLLL 
reduced bases in the worst case does not achieve a better Hermite factor than classical LLL (see 



Section 3.4 1, the according reduction algorithms usually return much shorter vectors than pure 
LLL. Unfortunately no polynomial time algorithm to compute DeepLLL reduced bases is known. 

The following definition is used in the proof (see e.g. [MG02]) of the polynomial running time 
of the LLL reduction algorithm and will play a main role in our improved variant of LLL. 

Definition 2.3. The potential Pot(_B) of a lattice basis B = [61, . . . , 6„] is defined as 

n n 

Pot{B) := n (^(^1' • • ■ ' = n • 

i=l i=l 

Here it is used that vol (£) = IliLill^i II- Note that, unlike the volume of the lattice, the potential 
of a basis is variant under basis permutations. The following lemma describes how the potential 
changes if ct]^ i is applied to the basis. 
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Lemma 2.4. Let B — . . . , bn] he a lattice basis. Then for 1 < k < £ < n 

Po.K,B).P„.(B,^nM||, 

Proof. First note that it is well-known that Pot(CTfe,fc+ii?) — \\TTk{bk+i)\\'^ /\\T^k{bk)\\^ ■ Pot(_B). This 
property is used in the proofs of the polynomial running time of LLL |LLL82[ IMG02| . 

We prove the claim by induction over i — k. The claim is true for k = i. For k < £, ak^e = 
<^k,k+i<^k+i.e- As bf is the {k + l)-th basis vector of ak+i/B, with the above identity we get 
Pot((Tfe,^.B) = Pot{ak^k+i(^k+ijB) = |h\^^'|ll2 • Pot{ak+i,iB), which completes the proof. □ □ 



3 The Potential-LLL Reduction 

In this section we present our polynomial time variant of DeepLLL. We start with the definition of 
a (5-PotLLL reduced basis. Then we present an algorithm that outputs such a basis followed by a 
runtime proof. 

Definition 3.1. Let 6 € (1/4, 1]. A lattice basis B = . . . ,6„] is J-PotLLL reduced if and only 

1- < j < i < n : l/iij i < 5 (size-reduced). 
2. \/l<k<£<n:5- Pot(S) < Pot{ak,eB). 
Lemma 3.2. A 6-PotLLL reduced basis B is also 5-LLL reduced. 



Proof. Lemma[2!4|shows that 6-Poi{B) < Pot((T,,^+iB) if and only if (5||7ri(6j)|j2 < \\TTi{bi+i)\\'^ . Thus 
the Lovasz condition is implied by the second condition in Definition |3.1| restricted to consecutive 
pairs, i.e. £ = k + 1. □ □ 

Lemma 3.3. A S-DeepLLL reduced basis B is also S"~^-PotLLL reduced. 

Proof. We proceed by contradiction. Assume that B is not (5"^^-PotLLL reduced, i.e. there exist 



1 < k < £ < n such that 5" ^Pot(i3) > Pot{ak,eB). By Lemma 2.4 this is equivalent to 



It follows that there exist a j G [k,£- 1] such that \\TTj{beW /\\T:j{bj)\\^ < ^("-i)/!^"*) < S which 
implies that B is not 5-DeepLLL reduced. □ □ 



3.1 High-Level Description 

A high-level version of the algorithm is presented as Algorithm [T] The algorithm is very similar to 
the classical LLL algorithm and the classical DeepLLL reduction by Schnorr and Euchner |SE94] . 
During its execution, the first £ — 1 basis vectors are always (5-PotLLL reduced (this guarantees 
termination of the algorithm). As opposed to classical LLL, and similar to DeepLLL, £ might 
decrease by more than one. This happens precisely during deep insertions: in these cases, the £-th 
vector is not swapped with the {£— l)-th one, as in classical LLL, but with the fc-th one for k < £— 1. 
In case k = £ — 1^ this equals the swapping of adjacent basis vectors as in classical LLL. The main 
difference of PotLLL and DeepLLL is the condition that controls insertion of a vector. 
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Algorithm 1: Potential LLL 


Input: Basis B e Z"^", ^ e (1/4, 1] 


Output: A (5-PotLLL reduced basis. 


1 £ 


4- 


1 


2 while £ < n do 


3 


Size-reduce(i3) 


4 


k 


-s- argniini<^<^Pot(crj^fB) 


5 


if (5 • Pot(B) > Pot{ak,£B) then 


6 




B ^ ak.eB 


7 






8 


else 


9 






10 


end 


11 end 




12 return i? 



3.2 Detailed Description 

Tliere are two details to consider when implementing Algorithm [ij The first one is that since the 
basis vectors 6i, . . . ,hi-i are already J-PotLLL reduced, they are in particular also size-reduced. 
Moreover, the basis vectors 6^+1, . . . , 6„ will be considered later again. So in line [3] of the algorithm 
it suffices to size-reduce 6^ by 6i, . . . , hi-i as in classical LLL. Upon termination, when £ = n -I- 1, 
the whole basis will be size-reduced. 

Another thing to consider is the computation of the potentials of B and (Jj/B for 1 < j < t 
in line |4j Computing the potential of the basis is a rather slow operation. But we do not need to 



compute the potential itself, but only compare Vot{ak/B) to Pot(i?); by Lemma 2.4 this quotient 
can be efficiently computed. Define Pfc £ := Pot(crfc_^i3)/Pot(i?). The "if" -condition in line [s] will 
then change to 5 > Pk,t., and the minimum in line|4]will change to argmin]^<j<^P,-^f . Using P^_£ = 1 
and 

- -Potior ■ ¥M¥ "^'^'^ m ^ 



for j < £ (Lemma 2.4 1, we can quickly determine argmiuj^^^^^Pj^ and check whether 6 > P^i if j 



mmimizes fj^i^. 



A detailed version of Algorithm [T] with these steps filled in is described as Algorithm [2j On 
line [t] of Algorithm [2j Pj^i is iteratively computed as in Equation (3.3). Clearly, the algorithm 



could be further improved by iteratively computing ||7rj(6f)|| from ||7rj_|_i(&£)|| . Depending on the 
implementation of the Gram-Schmidt orthogonalization, this might already have been computed 
and stored. For example, when using the Gram-Schmidt orthogonalization as described in Figure 4 
of jNS05| . then ||7rj(6^)|p = Sj_i after computation of H^^jp and ji^j for I < j < £■ 

3.3 Complexity Analysis 

Here we show that the number of operations in the PotLLL algorithm are bounded polynomially 
in the dimension n and the logarithm of the input size. We present the runtime for Algorithm [2j 
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Algorithm 2: Potential LLL, detailed version 



Input: Basis B e Z"^™, 5 e (1/4, 1] 
Output: A 5-PotLLL reduced basis. 

while £ < n do 

Size-reduce(&^ by 6i, . . . , bi-i) 
Update(||6|||2 and /lej for I < j < £) 
P^l, P„,i„ ^ 1, ' fc ^ 1 
for j = £ — 1 down to 1 do 



p ^ p- 

if P<P„ 



then 

P ■ -t^ P 

^ mm ^ 

end 
end 

if 5 > Pmin then 
B ^ ak/B 
Update(||6;^ 
£^k 
else 

end 



and Hkj for 1 < j < fc) 



20 end 

21 return B 
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Proposition 3.4. LetS E (1/4,1) anrf C — maxi=i...„||6i||^. Then Algorithm^performs 0{n^ logi/g(C)) 
iterations of the while loop in line^and a total of 0{{n + m)n'^\ogi/g{C)) arithmetic operations. 

Proof. Let us start by upper bounding the potential / of the input basis with respect to C. Let 
d, := vo\{C{bi,...,b,)f = riLill^JI!' for j = l,...,n. Recall that < \\b,\\^ < C for 

i = 1, . . . , n and hence dj < . Consequently we have the following upper bound on the potential 

n— 1 n— 1 

I=Y[dj- vol (£) < n • ('^) ^ C*""^ • vol (£) . (3.4) 

Now, by a standard argument, we show that the number of iterations of the while loop is bounded 
by 0{n^ \ogi^g{C)). In each iteration, either the iteration counter £ is increased by 1, or a swapping 
takes place and £ is decreased by at most n — 1. In the swapping case, the potential is decreased 
by a factor at least S. So after N swaps the potential In satisfies / > (l/S)^ In > (1/'^)^ ' vol (£) 
using the fact that In > vol (C). Consequently the number of swaps N is bounded by TV < 



logi/5(//vol(£)). By Equation (3.4| we get that N < logi/5(C"(""i'/2). Now note that the 
number M of iterations where £ is mcreased by 1 is at most M < {n — 1) ■ N + n. This shows that 
the number of iterations is bounded by 0{n^ logi/g{C)). 

Next we show that the number of operations performed in each iteration of the while loop is 
dominated by 0{n^ + nm) operations. Size-reduction (line [3| and the first update step (line |4| 
can be done in 0{nm) steps. The for-loop consists of 0{n) iterations where the most expensive 
operation is the update of P in line [t] Therefore the loop requires 0{n^) arithmetic operations. 



Swapping can be done in 0{n) operations, whereas the second update in line 15 requires again 
O(ri^) operations. 

It follows that each iteration costs at most 0{n'^ + nm) arithmetic operations. This shows that 
in total the algorithm performs 0{{n + m)n'^ log(C)) operations. □ □ 



3.4 Worst-Case Behavior 

For (5=1, there exist so called critical bases which are (5-LLL reduced bases and whose Hermite 



factor reaches the worst case bound in ( 2.2 ) |Sch94| . These bases can be adapted to form a DeepLLL 
reduced basis where the first vector reaches the worst case bound in (2.2). 



Proposition 3.5. For a = ■\/3/4, the rows of B — v4„(a) (see below) define a 6-DeepLLL reduced 
basis with 6 ^ 1 and = ^(„-i)/2 Vol {C{An)y/". 



(\ 



a" 



(3.5) 



V 



Proof. From the diagonal form of An it is easy to see that vol (£) = det(A„) = a"^" '^)/'^^ Hence 
||6i||^ = 1 = 1/q;("~^^/^vo1 (£). It remains to show that An is DeepLLL reduced. Note that B* 
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is a diagonal matrix with the same entries on the diagonal as B. Note that it is size reduced as 
for all 1 < j < i < n we have = {b,,b*)/{b*,b*) = ia20-i)/Q,20-i) ^ i_ Further, using that 

TTjibi) = b* + J2'eZ] f^i.eK^ have that 



-i-i 



v2(j-l) 



As for a = 73/4' have that j Efco"^ + "^^'"^^ 1' hence \\Trj{bi)\\^ = a^O-i) = 
Therefore, the norms of the projections for fixed j are all equal, and An{a) is (5-PotLLL- 
reduced with 5=1. □ □ 



Using Lemma 3.3 we obtain: 
Corollary 3.6. For a = ■\/3/4, the rows of An (a) define a 6-PotLLL reduced basis with 6 = 1 and 

l|6i||2 = ^jT^voi(/:(^o)i/«. □ 



4 Experimental Results 

Extensive experiments have been made to examine how the classical LLL reduction algorithm 
performs in practice }NS06| IGN08| . We ran some experiments to compare our PotLLL algorithm 
to our implementations of LLL, DeepLLL, and BKZ. 

4.1 Setting 

We run the following algorithms, each with the standard reduction parameter S = 0.99: 

1. classical LLL, 

2. PotLLL, 

3. DeepLLL with blocksize /3 = 5 and /3 = 10 (the latter up to dimension 240 only), 

4. BKZ with blocksize 5 (BKZ-5) and 10 (BKZ-10). 

The implementations all use the same arithmetic back-end. Integer arithmetic is done using GMP, 
and Gram-Schmidt arithmetic is done as described in |NS051 Figures 4 and 5]. As fioating point 
types, long double (x64 extended precision format, 80 bit representation) and MPFR arbitrary 
precision floating point numbers are used with a precision as described in |NS05j . The implemen- 
tations of DeepLLL and BKZ follow the classical description in |SE94| . PotLLL was implemented 
as described in Algorithm [2] (page |6| . 

We ran experiments in dimensions 40 to 300, considering the dimensions which are multiples 
of 10 from 40 to 200 and dimensions that are multiples of 20 from 200 to 300. In each dimension, 
we considered 50 random lattices. More precisely, we used the lattices of seed to 49 from the SVP 
Challenge^ For each lattice, we used two bases: the original basis and a 0.75-LLL reduced basis. 

All experiments were run on Intel® Xeon® X7550 CPUs at 2 GHz on a shared memory machine. 
For dimensions 40 up to 160, we used long double arithmetic, and for dimensions 160 up to 300, 

^http : //www. latticechallenge . org/ svp- challenge 
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we used MPFR. In dimension 160, we did the experiments both using long double and MPFR 
arithmetic. The reduced lattices did not differ. In dimension 170, floating point errors prevented 
the long double arithmetic variant to complete on some of the lattices. 



4.2 Results 

For each run, we recorded the length of the shortest vector as well as the required CPU time for the 
reduction. Our main interest lies in the n-th root of the Hermite factor yo^^ji/n ; where bi is the 
shortest vector of the basis of C returned. Figure [l] (see pages 12p4 for all figures) compares the 



average n-th root of the Hermite factor and average logarithmic running time of the algorithms for 
all dimensions. The graphs also show confidence intervals for the average value with a confidence 
level of 99.9%. 

As one can see, there is a clear hierarchy with respect to the achieved Hermite factor. Our 
PotLLL performs better than BKZ-5, though worse than DeepLLL with /3 — 5 and BKZ-10, which 
in turn perform worse than DeepLLL with /3 = 10. The behavior for preprocessed bases and 
bases in Hermite normal form is very similar. We collected the average n-th root Hermite factors 
. vol(£)~^/"^ in Table [l] and compared them to the worst-case bound in Equation (2.2) 



Our data for LLL is similar to the one in |NS06| and |GN08| Table 1]. However, we do not see 
convergence of the n-th root Hermite factors in our experiments, as they are still increasing even 
in high dimensions n > 200. 



Dimension 


n = 100 


n = 160 


n = 220 


n = 300 


Worst-case bound (proven) 


R:! 1.0774 


w 1.0777 


w 1.0778 


w 1.0779 


Empirical 0.99-LLL 


1.0187 


1.0201 


1.0207 


1.0212 


Empirical 0.99-BKZ-5 


1.0154 


1.0158 


1.0161 


1.0163 


Empirical 0.99-PotLLL 


1.0146 


1.0150 


1.0152 


1.0153 


Empirical 0.99-DeepLLL with /3 = 5 


1.0138 


1.0142 


1.0147 


1.0150 


Empirical 0.99-BKZ-lO 


1.0140 


1.0143 


1.0144 


1.0145 


Empirical 0.99-DeepLLL with (3 ^ 10 


1.0128 


1.0132 


1.0135 





Table 1; Worst case bound and average case estimate for 5-LLL reduction, 5-DeepLLL reduction, 5- PotLLL 
reduction and (5-BKZ reduction of the n-th root Hermite factor ll&ill^^" • vol (C)'^''" . The entries 
are sorted in descending order with respect to the observed Hermite factors. 



For the running time comparison. Figure lb shows that the observed order is similar to the 



order induced by the Hermite factors. LLL is fastest, followed by BKZ-5 and PotLLL, then by 
BKZ-10 and DeepLLL with /? = 5, and finally there is DeepLLL with /3 = 10. The running time 
of PotLLL and BKZ-5 is very close to each other for higher dimensions, while PotLLL is clearly 
slower for smaller dimensions. While Figure [lb] shows that BKZ-5 is usually slightly faster than 
PotLLL and BKZ-10 slightly faster than DeepLLL with /? = 5, the behavior is more interesting if 
one considers preprocessed and non-preprocessed bases separately. We do this in Figures [2] and [3j 
Recall that the unprocessed bases are bases in Hermite normal form, and the processed bases are 
the same bases run through 0.75-LLL. 
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In Figures [2] we compare the behavior for unprocessed bases in Herniite normal form. Every hne 
connecting bullets corresponds to the behavior of one algorithm for different dimensions. Again, the 
box surrounding a bullet is a confidence interval with confidence level 99.9%. The shaded regions 
show which Hermite factors can be achieved in every dimension by these algorithms. Algorithms 
on the border of the region are optimal for their Hermite factor: none of the other algorithms 
in this list produces a better average Hermite factor in less time. In Figure [2a| one can see that 
BKZ-5 produces worse output slower than PotLLL up to dimension 160. Also, BKZ-10 is inferior 
to DeepLLL with = 5 as it is both slower and produces worse Hermite factors. As the dimension 
increases, the difference in running time becomes less and less. In fact, for dimension 180 and 
larger, BKZ-10 becomes faster than DeepLLL with /3 = 5 (Figure 2b). 

On the other hand, for preprocessed bases, the behavior is different, as Figure [3] shows. Here, 
BKZ-5 is clearly faster than PotLLL and BKZ-10 clearly faster than DeepLLL with /3 — 5. In 
fact, for dimensions 60, 80 and 100, PotLLL is slower than BKZ-10 while producing worse output 



(Figure 3a). For higher dimensions, PotLLL is again faster than BKZ-10 (Figure 3b), though not 
substantially. Therefore, for preprocessed bases, it seems that BKZ-10 is more useful than PotLLL 
and DeepLLL with f3 — 5. 



5 Conclusion 

We present a first provable polynomial time variant of Schnorr and Euchner's DeepLLL. While the 
provable bounds are not better than for classical LLL - in fact, for reduction parameter 6 = 1, the 
existence of critical bases shows that better bounds do not exist - the practical behavior is much 
better than for classical LLL. We see that the n-th root Hermite factor of an n-dimensional basis 
output by PotLLL in average does not exceed 1.0153" for n < 300. 

For unprocessed random bases in Hermite normal form, PotLLL even outperforms BKZ-5. Our 
experiments also show that for such bases, DeepLLL with /3 = 5 outperforms BKZ-10. On the other 
hand, for bases which are already reasonably preprocessed, for example by applying 0.75-LLL to a 
basis in Hermite normal form, our algorithm is only slightly faster and sometimes even slower than 
BKZ-10, while producing longer vectors. 

It is likely that the improvements of the algorithm jNS06| and the algorithm pN^SVllj can 
be used to improve the runtime of our PotLLL algorithm, in order to achieve faster runtime. We 
leave this for future work. 

Moreover, deep insertions can be used together with BKZ as well. In particular, potential 
minimizing deep insertions can be used. We added classical deep insertions and potential minimizing 
deep insertions to BKZ. First experiments up to dimension 120 suggest that with regard to the 
output quality, BKZ-5 with potential minimizing deep insertions is better than PotLLL, but worse 
than BKZ-5 with classical deep insertions, which in turn comes close to BKZ-10. BKZ-10 with 
potential minimizing deep insertions is close to DeepLLL with /? = 5, and BKZ-10 with classical 
deep insertions close to DeepLLL with /3 = 10. For dimensions around 100, the speed of similarly 
performing algorithms also behaves similarly. 
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(a) Average n-tli root Hermite factor. 
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(b) Average logarithmic CPU time. 

Figure 1: Overview of performance of the algorithms for dimensions n {x axis) from 40 to 300 (using MPFR 
for n > 160). 
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(a) long double arithmetic. The highlighted areas represent dimensions 40, 80, 120 and 160. 
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(b) MPFR arithmetic. The highlighted areas represent dimensions 180, 220, 260 and 300. 

Figure 2: Comparison of n-th root Hermite factor {y axis) vs. running times {x axis) for both arithmetics 
for the original bases. 



13 



1.02002 



1.0 1 9 5 3 



1.01904 
1.0 1 8 5 5 



-^LLL 
o BKZ-5 
-^-PotLLL I 

DeepLLL-5 
-■-BKZ-10 
^ - DeepLLL-10[ 



I. 01807 

II. 01758 
h .0 1 7 91 
il.0166 
1.01611 



1.0 1 5 8 2 



r 




1.01514 
1.0148 
1.0141 
jl.0 1 3 8 
|l.0 1 3 1 8| 
1.0127 I 
1.01221 



0.01 56 I30.03T2 iO:0625 |0;T23Pf0.25 s 



I 




























t).5s- - 


Is 


2s 


4 s - - 


8 s 


16 s- 


32 s- llvorm 


2nrm 


4:2rm- 


8.5arn 


17.1 m 


34.r 



(a) long double arithmetic. The highlighted areas represent dimensions 40, 80, 120 and 160. 
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(b) MPFR arithmetic. The highlighted areas represent dimensions 180, 220, 260 and 300. 

Figure 3: Comparison of n-th root Hermite factor {y axis) vs. running times {x axis) for both arithmetics 
for preprocessed bases (0.75-LLL-reduced bases). 
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